
IntSights’ Findings on the German Government’s Data Breach

Last week, German media, including the newspaper Bild and the broadcaster RBB, reported on a breach affecting members of the German Parliament, which resulted in thousands of private and confidential files being exposed to the general public. Here is our summary of the breach, including what is known about the attacker and a first-hand look at the leaked data.

Breach Timeline

Details of the breach began to unfold in early December 2018. At that time, the Twitter account G0d (@_0rbit) published, on a daily basis, links to sensitive documents and personal information of politicians and media figures. The same material was also posted to a personal blog belonging to @_0rbit.

Figure 1: G0d (@_0rbit) Twitter Profile

The severity of the leaked information increased gradually: it began with private information on celebrities and media figures, and later scaled up to the personal data of members of political parties. Affected parties included the Christian Democrats (CDU) and their Bavarian sister party, the Christian Social Union (CSU), as well as the Social Democrats, the Free Democratic Party, the Left Party and the Greens.

Twitter has since taken down both the posts and the profile; however, the IntSights platform had already scraped the data, which enabled us to obtain the original files before they were removed.

Figure 2: @_0rbit Blog

As soon as the leaked files were obtained, our team began analyzing the compromised data. It ranges from mere names and phone numbers to full PII dumps, including ID documents, email contents, Facebook contents, phone activity, accounting information and more.

The documents range from publicly available to confidential, but the majority of the information is private in nature, years old, and contains no details of political agendas. This suggests that the data was aggregated from several separate sources rather than exfiltrated from one large database.

Figures 3-5: Leaked Documents

Who Was Behind the Attack?

While there is currently no proof of who planned and carried out the hack, some of the files in the leak reference @NfoR00t, a hacker with a history of doxing and defacing. Given this signature, it is plausible that @NfoR00t is the same person behind @_0rbit. Additional aliases may include:

G0d@_0rbit

'r00t OF 0rbit'

nullr0uter

r00taccess

NFOr00t

jitachi

dennis567

p0wer

Figure 6: Hacker's Signature from Leaked Files

Figure 7: NfoR00t AKA Nullr0uter

The first evidence of the hacker’s activities dates back to summer 2015, when he published doxes of well-known YouTube personalities.

At this time it is still unclear how the compromises were carried out, but the IntSights team will continue to investigate and publish further findings accordingly.

UPDATE: Suspect Arrested in Germany Data Leak. A 20-year-old man has been arrested on suspicion of being responsible for the German government data breach.


Andrey Yakovlev is a Security Researcher at IntSights, focused on intelligence hunting on the Russian dark web. He is an experienced professional with over six years of experience in the cyber security field. Andrey specializes in threat discovery, computer forensics and behavioral analysis of Trojans.
